GDPR Compliance Guide
Times have changed. So must the law.
The General Data Protection Regulation (GDPR) is the latest in a string of EU parliamentary measures designed to put the highest levels of protection around personal data.
Unfortunately, achieving GDPR compliance is not just a matter of ticking a few boxes — it’s more akin to a complete digital transformation.
During the past few years, we’ve been increasingly exposed to troubling headlines of massive data breaches affecting what everyone presumed were well-secured companies.
Many of these data leakages have had crippling effects on corporations, costing them not only billions of dollars in revenue but also seriously affecting their customers. The latter is, after all, to be expected — clients bear the brunt of the damage when their personally identifiable information (PII) is stolen and subsequently leaked to outside parties. They become the de facto victims.
Many half-hearted measures have been taken in order to lower the rate of PII thefts. But cybercrime is too profitable a business model to be stopped by watered-down regulations. Simply wishing for it to go away was never going to work; what we needed is a full-scale revolution of how PII is handled, stored, and secured.
Following this exact logic, members of the European Council voted on what may very well turn out to be the most robust and far-reaching privacy legislation the world has ever seen — the General Data Protection Regulation (GDPR).
Created as a response to the rapidly-evolving challenges posed by the 21st-century digital world, the GDPR aims to introduce a new, better era of personal information security.
By enforcing strict data-handling rules and dishing out severe penalties to those who don’t meet its provisions, this regulation is designed to revolutionize the way companies handle the personal information of their customers and strengthen data protection for everyone within the EU.
In this article, we’ll clear up some of the most common misconceptions looming over the GDPR, while also explaining what companies can do to align with the recently implemented rules.
What is the GDPR?
GDPR is a new EU statute designed to give European citizens control over how their personal data is managed and used.
Ambitious, complex, and very stringent, the GDPR has a wider scope than any previous law of its kind and has been designed with the current cybersecurity landscape in mind.
Some describe it as a “Digital Declaration of Rights” because it places limits on the power of software platforms and reflects a commitment to the principles of digital self-sovereignty.
The GDPR is a welcome replacement for its predecessor — the Data Protection Directive 95/46/EC — a law that has remained essentially unchanged since its adoption in 1995.
After four years in the making, the GDPR was finally approved on April 14, 2016. Soon after that, the European Council announced that the deadline for GDPR implementation would be 25 May 2018, which gave businesses dealing with EU citizens a time frame of about two years to get their act together.
Ultimately, there were no delays — the GDPR became active legislation on 25 May 2018.
While the GDPR is certainly great news for everyday people, its implementation presents some serious problems for companies. Businesses have two options: risk paying fines potentially running into tens of millions of euros, or go through the expensive and time-consuming process of adapting their protocols to adhere to the new directive.
A third option, it appears, does not exist.
Who does the GDPR apply to?
The GDPR is designed to protect EU citizens first and foremost. However, the law’s reach extends well beyond Europe.
According to the official GDPR guidelines, any business dealing with the personal information of EU citizens is affected by the GDPR, regardless of its size or location. This means that even a corporation established outside the EU/EEA is liable if it does any sort of business with EU citizens.
In other words, no matter how small your company might be, if it deals with EU citizens and their data, rest assured that it’s affected by the GDPR.
What does the GDPR change?
The GDPR essentially builds on the EU’s previous data protection directive, which did very little in terms of combating thefts of personal information. These are some of the key changes brought forth by the GDPR:
Broader territorial jurisdiction: The GDPR, unlike its predecessor, applies to all companies handling the personal data of people residing in the EU/EEA, regardless of the firm’s location.
More straightforward processes of giving and withdrawing consent: With the GDPR in place, organizations are no longer allowed to include long, incomprehensible terms and conditions when requesting consent from customers.
Instead, such forms have to be presented in an easily accessible format and written in clear, plain language. Furthermore, withdrawing consent must be as easy as giving it in the first place.
Controlled access rights: Anyone whose data is held by a business must be able to obtain confirmation from organizations as to whether their personal data is being processed and what the purpose of that processing is.
Moreover, customers have the right to request a copy of all the personal data in the firm’s possession, which the company will need to provide free of charge.
Processing as the last resort: According to the GDPR, if you can reasonably achieve a purpose without accessing your clients’ personal information, there is no lawful basis for you to do so.
If you do have a reason to lawfully process data, you can only access that data for as long as is necessary to complete that task. Once it’s served its purpose, you can no longer access it.
The right to be forgotten: The GDPR includes a somewhat obscure clause that gives people “the right to be forgotten.” This basically means the data subject can ask the company to erase all (or some) of his or her personal data.
Unless there are some extraordinary circumstances in play, the data holder is required to promptly delete the specified data.
Distinct security measures for children: Since kids are generally less aware of risks, the GDPR insists on parental consent for children up to the age of 16 when it comes to providing their PII.
Penalties for companies that obtain consent directly from a minor are severe.
Privacy by design: Privacy by design means that each new service or process being implemented into a business needs to treat the protection of personal data as a primary concern.
In other words, privacy must not be an afterthought or a systematic add-on, but a foundational consideration whenever a company develops products or internal systems.
Privacy by default: This simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service.
Data Protection Officers: In order to fully comply with the GDPR, organizations can hire a Data Protection Officer (DPO) who acts as an intermediary between the organization, supervisory authorities, and data subjects.
Data portability: The data subject must be able to send any previously granted personal data from one organization to another.
Meanwhile, the company losing the client is forced to erase all personal records in the process and must not stand in the way of the individual’s decision to leave for another service provider.
Swift reactions in cases of data breaches: If any of the data in their possession is compromised in some way, companies are required to notify supervisory authorities and the owners of said information within 72 hours of discovering the breach.
Large penalties for regulation violations: This is probably the most petrifying facet of the GDPR for corporations; penalties for those found in breach of the regulation can be large and are enforced vigorously.
What is personal data?
In case you’re wondering what precisely passes for personal data in the eyes of the GDPR, here’s a quick clarification: personal information is any information that can be used to directly or indirectly identify the individual.
This means that, as far as the GDPR is concerned, everything on the following list is considered to be PII:
- Photos
- Email addresses
- Bank details
- Social media posts
- Medical information
- IP addresses
- Sexual orientation
- Any information related to religion
- Biometric data
Differentiating the data controller from the data processor
The GDPR requires businesses to modify their practice in terms of who actually handles personal data. With that goal in mind, each company under the GDPR jurisdiction needs to have a data controller and a data processor.
A data controller is an entity that determines the purposes, conditions, and means of processing the personal data of clients. In the majority of cases, this is the company itself.
A data processor, on the other hand, is responsible for handling and processing personal data on behalf of the controller.
Basically, a data controller asserts how and why personal data is processed, while a processor does the actual processing. At the end of the day, however, the responsibility for meeting the GDPR principles falls on both the data processor and the controller.
The distinction between the data controller and the processor is thought to be relevant both due to the organizational impact and because it prevents hired companies from mishandling the data they process for corporations who lease their services. Yes, even companies that process data for other companies fall within the scope of the GDPR.
Fines are determined by the nature and severity of the infringement
- A maximum fine of 20M euros / ~$22M, or 4% of global annual turnover from the prior year (whichever is greater): failure to adhere to core principles of data processing, infringement of personal rights, or the transfer of personal data to other countries or international organizations that do not ensure an adequate level of data protection (Article 44).
- A maximum fine of 10M euros / ~$11M, or 2% of global annual turnover from the prior year (whichever is greater): failure to comply with technical and organizational requirements such as impact assessments, breach communications, and certifications (Articles 25, 32, 33, 35).
Punishments for not upholding GDPR rules
The European Council came up with a tiered approach to fines for anyone found in violation of the GDPR.
There are two levels of punishment, depending on the type and scope of the infringement.
The first penalty tier is set at up to 10 million euros or up to 2% of the company’s global annual turnover of the preceding financial year, whichever amount is higher.
The upper tier basically doubles the previous fine — companies are fined up to 20 million euros or up to 4% of their global annual turnover, whichever is higher.
According to official reports, fines at the lower end apply for breaches like:
- Obtaining consent for processing from an underage individual.
- Failing to maintain records that show how data is used.
- Failing to categorize the assembled data in any way.
- Infringing on the rules regarding privacy by design and privacy by default.
- Failing to notify the owner about a breach in a timely fashion.
Fines in the higher tier apply for breaches like:
- Not legitimately, lawfully, and securely processing the data.
- Failing to acquire consent before handling PII.
- Violating the client’s right to privacy.
- Failing to ensure the subject’s data is transferable.
- Limiting access to an individual’s own data.
- Not complying with or in any way restricting a supervisory authority’s access to the company’s data processing system.
- Transferring the subject’s information without explicit permission.
Who determines GDPR non-compliance?
Since non-compliance can easily lead to severe fines, a reasonable question arises for every company under the GDPR: who has the final word on whether or not the regulation has been violated?
Deciding whether the data controller or processor failed or neglected to abide by the provisions is a task for national data protection authorities.
According to the GDPR, each EU state must have an independent entity that will perform supervisory functions. These organizations are in charge of investigating cases and imposing administrative fines whenever the complaint is deemed a valid one.
Supervisory authorities start investigating companies either on their own initiative or upon a complaint lodged by a data subject.
If a company wishes to get in touch with a supervising organization, the GDPR guidebook clearly states that the supervisory authority must be located in the same country where the company in question has its main establishment in the EU. This is obviously intended to counter the risk of organizations choosing a supervisory authority they perceive as less strict.
If a company is unable to find a GDPR supervisory authority in the country it’s operating in, then the organization is expected to contact a GDPR-enforcement entity in the closest adjacent EU country that has supervisory officials.
The first steps to preparing for the GDPR
Unfortunately, there is no “one size fits all” approach to becoming compliant with the GDPR. Each business needs to examine what it needs to adjust in order to comply.
First and foremost, you need to review what’s required of you before you even start pondering how your firm can adjust to the recent changes. Understanding the current state of your security and data-processing departments is crucial; it will allow you to identify potential problems and work out how best to prevent them.
That being said, there are some relatively basic measures you should consider taking before setting foot in the GDPR era:
- Get a firm grasp on the personal information in your possession and understand with whom it is shared, as well as what terms and conditions govern its use.
- Simplify your terms of service and do everything in your power to make giving and withdrawing consent as uncomplicated as possible for your customers.
- Organize Privacy Impact Assessments in order to identify privacy risks to your customers’ information.
- Invest in state-of-the-art security technologies that will help your business emphasize the protection of your customers’ private information.
- Make sure that creating authorized electronic copies of personal data requires just a few clicks.
- Have the right measures in place to promptly delete customers’ data if they request such a procedure.
Do I need a Data Protection Officer (DPO)?
Depending on your data-processing methods and the overall size of your business, it might make sense for you to hire a Data Protection Officer.
A DPO will take care of duties like informing and advising the employees about their obligations to comply with the GDPR, monitoring compliance with the rules, managing internal data protection activities, and training staff on GDPR compliance.
A DPO is also the first point of contact for supervisory authorities.
Keep in mind that having a DPO is obligatory for public authorities (government agencies, state schools, and publicly-funded museums, for example), organizations that engage in large-scale systematic monitoring of customers (such as online shopping or banking websites), and companies in charge of processing sensitive data either for themselves or for other organizations (like businesses that collect data about prison inmates).
If your company does not fall under any of these categories, you aren’t required to appoint a full-time DPO; the decision of whether or not you hire one is entirely up to you.
Naturally, EU institutions and bodies have already appointed their own DPOs.
Updating existing security systems
Normally, installing a brand new security system is a lot easier than updating an existing one to meet the GDPR standards. Unfortunately, chances are most organizations that still aren’t prepared for the recent law changes will find themselves in the latter category. After all, the GDPR is much stricter than any other law of its kind, so your current security measures likely do not meet at least some of its demands.
To make sure you comply fully, and not just partially, you should check your current policies and compare them against the GDPR provisions.
Organize a working group that will identify gaps in your security policies and analyze whether the current solutions are up to par with GDPR standards of compliance.
You should also get your IT security team to map out your complete customer-information storage system and security processes. This exercise will reveal potential shortcomings before they become a problem, as well as account for any obsolete hardware/software that may prove problematic down the line.
Consulting your local GDPR supervisory authority (or an expert) is also a sensible option. This can greatly help you evaluate the state of your security systems and where they stand in terms of GDPR compliance.
How much will GDPR implementation cost?
Although this is a fair question, answering it is far from a straightforward matter — you need to take many factors into account to get even an approximate cost estimate for your GDPR revolution.
Based on an in-depth analysis of publicly available data on FTSE 100 companies in the UK, it turns out that an average FTSE 100 firm faces a bill of around £15 million.
Keep in mind, though, that not all firms within the FTSE 100 index will have to make exactly the same investment. Factors like the overall size, the complexity of IT sectors, the kind of business, and service lines are just some of the determinants that will ultimately affect how much you have to invest.
Across the pond, a PwC survey revealed that 68% of US-based companies planned to spend around $1 million to $10 million to meet GDPR requirements before the legislation came into effect. Just 9% expected to pay more than $10 million.
Some observations about the cost of becoming GDPR compliant
While identifying an exact price range for achieving GDPR compliance is challenging, some observations can give us a clearer picture of what to expect.
First of all, the cost of implementation is always directly proportional to the size of the firm.
Furthermore, it’s estimated that most companies face an average implementation cost of £300–450 per employee across all sectors, although this varies depending on the industry.
From the moment the GDPR was announced, banks were expected to be the ones who face the highest implementation cost, which is not surprising considering they offer a wide range of services to large numbers of customers and have complex IT systems.
Banks and large insurance firms aside, organizations that deal with energy, commodities, utilities, retail goods, telecommunications, and technology should all expect to have to pay around £15–19 million.
Large businesses in other sectors are probably looking at a bill of around £5–11 million.
Comparing potential fines with implementation costs
If we stick to the estimate that an average FTSE 100 firm needs to fork out around £300–450 per employee to comply with the GDPR, it’s worth comparing these implementation costs with the potential fines we spoke about earlier.
For FTSE 100 companies, the 4% annual turnover fine — which is the maximum a firm can be charged for a GDPR oversight — equates to £800k for the smallest organizations and can go all the way to £7.1 billion for the largest ones.
This means that, on average, a fine of 4% of revenue is actually 30 to 80 times higher than the cost of implementing changes in the first place. This illustrates that besides being a smart move for the future, complying with the GDPR data-processing standards can actually save companies huge amounts of money in the long run.
For banks, however, a fine of 4% of revenue is actually only 13 times bigger than what the initial implementation cost is.
Blockchain and the GDPR
The centralized models of data storage we’re used to rely on the implicit premise that the custodians of our information are trustworthy. Blockchain systems, however, let math — executed and validated by a network of computers — function as a substitute for the middlemen.
Since many organizations are keen to adopt this emerging technology, it’s fair to assume some businesses would consider how blockchain software might help them transition to the GDPR era.
At least at first glance, using blockchain to solve the GDPR problem really does make sense.
However, once you pass the point of initial excitement, it becomes apparent that some of blockchain’s most important principles could actually conflict with the GDPR.
So, despite both challenging the status quo of how personal data is managed, the GDPR and blockchain don’t quite see eye-to-eye about how such a goal should be fulfilled.
Why blockchain and the GDPR make sense together
Of course, just because two entities don’t work together now doesn’t mean they couldn’t become perfectly suited to each other, albeit with a few tweaks.
Blockchain and the GDPR could do just that.
As a distributed database that maintains a continuously growing list of records, each block in a blockchain contains a timestamp and a link to the previous block. It’s easy to see how well this aligns with the GDPR transparency requirement.
Here are some other reasons why blockchains may be perfect for securing personal data:
- Blockchain technology makes use of cryptography and digital signatures to store and manage information, offering a safe way for users to authenticate their identity online.
- Blockchain’s decentralized nature eliminates the risk of a single point of failure, so the system’s safety is rarely questioned.
- Since blockchain creates encrypted blocks of ordered records, a potential GDPR adaptation of the system would provide completely traceable data.
Obstacles standing between blockchain and the GDPR
At its very core, blockchain is a governance-friendly technology that ensures the integrity of data at all times. Although that’s a very useful trait in its own right, this feature conflicts in many ways with the GDPR provisions.
In other words, great difficulties could arise in creating a GDPR-friendly blockchain:
- It is almost impossible to change or delete the information contained within the blocks, so the essential requirement of data subjects being able to alter and delete their PII might prove challenging to develop on a blockchain.
- It’s unclear who controls data within a blockchain system, as every block is accessible to everyone on the network. The idea of personal data belonging to one individual on a blockchain could be problematic, as there’s no way of knowing who has access to that data.
- For a blockchain to be successful, every computer within its network needs to have a copy of the stored data, meaning that every party’s private information would be publicly available.
Enter Blinking, a multi-factor identity-management system that solves most of your GDPR problems
Blinking is a digital identity-management system that emphasizes security and shares the same end goal as the GDPR: giving individuals ultimate control over their personal information.
Blinking users are the sole owners of their identity information. They don’t have to rely on third parties to keep their data safe.
Despite all the challenges of making a GDPR-friendly blockchain system, Blinking is clear proof that such a feat is possible. Based on some clever modifications, the programmers of Blinking have not only made it possible for users to change their data on a blockchain; they’ve created a technology that allows users to delete their information entirely.
By doing so, the coders behind Blinking have created a secure, user-friendly platform that harnesses all the good aspects of a decentralized system and uses them to comply with the GDPR rules. As such, Blinking is valuable for businesses who wish to better manage sensitive data in their possession.
Blinking complies with the GDPR by giving its users all the freedoms mandated by the recent law, all with top-level security. It provides solutions to issues with breach notifications, controlling access, deleting and moving data, and altering information. As such, Blinking provides the model for how individuals will treat their data in the future.
Use the GDPR as an opportunity to get better
When it comes to the GDPR, it’s easy to lose yourself in the implementation costs and warnings of potentially devastating fines.
But it’s important to keep some perspective. Try to see the GDPR as an opportunity to better protect your business against cyber-attacks and demonstrate your dedication to both current and future clients.
After all, if everything goes as planned, the GDPR will turn out to be the most comprehensive set of statutes and corresponding legal obligations in the history of data management.
Although the process of adapting to the GDPR might seem daunting, your business has the chance to be at the forefront of one of the biggest legal changes of the decade.
Guide summary
The General Data Protection Regulation (GDPR) is a new EU statute designed to give European citizens control over how their personal data is stored and used. Often referred to as the “Digital Declaration of Rights,” the GDPR officially became enforceable on 25 May 2018.
Although the GDPR focuses on people living in the EU, this legislation actually states that any business dealing with the personal information of EU residents is affected by it regardless of size or location.
The GDPR introduced many changes to the way companies dealing with EU citizens conduct business:
- Broader territorial jurisdiction
- More straightforward processes of giving and withdrawing consent
- Controlled access rights
- Processing as the last resort
- The right to be forgotten
- Distinct security measures for children
- Privacy by design
- Privacy by default
- Data Protection Officers
- Data portability
- Swift reactions in cases of data breaches
- Penalties for regulation violations
As far as the GDPR is concerned, everything on the following list is considered to be personal information:
- Photos
- Email addresses
- Bank details
- Social media posts
- Medical information
- IP addresses
- Sexual orientation
- Any information related to religion
- Biometric data
From the moment the GDPR came into effect, the law started distinguishing between data controllers and data processors. The data controller asserts how and why personal data is processed; the data processor does the actual processing.
The European Council decided to enforce a tiered approach to fines for any firm found in violation of GDPR rules. Companies can be penalized up to 10 or 20 million euros (depending on the severity of their breach) or 2–4% of their annual global turnover — whichever amount is higher.
Determining noncompliance is the duty of local supervisory authorities; each EU state has an independent entity that performs these supervisory functions.
Since there’s no “one-size-fits-all” approach to preparing for the GDPR, getting adjusted to the new rules is far from simple. First and foremost, firms need to:
- Get a firm grasp of the personal information in their possession.
- Significantly simplify their terms of service.
- Improve their processes of giving and withdrawing consent.
- Organize privacy impact assessments.
- Invest in state-of-the-art security technologies.
- Implement simple processes for deleting information and making authorized electronic copies of data.
Data Protection Officers (DPOs) are in charge of monitoring compliance with the new GDPR rules. Depending on the kind of business you are in, hiring a DPO is either mandatory or optional. Having a DPO is obligatory for public authorities, firms engaged in large-scale systematic monitoring of customers, and companies in charge of processing sensitive data.
Many factors must be considered to even roughly estimate the cost of becoming compliant with the GDPR. An average FTSE 100 firm will face a bill of around £15 million, but this varies hugely depending on factors like the overall size of the business, the complexity of its IT systems, and what the business actually does. One thing is certain for everyone: Potential fines are much higher than the cost of implementing changes in the first place.
Although blockchain technology and the GDPR are fundamentally different on many fronts, the two share a lot of mutual ground.
Blinking is a multi-factor, blockchain-backed digital identity-management system that features two important solutions for businesses: the Blinking KYC module and the Blinking GDPR module. The KYC module is a Know-Your-Customer tool based on blockchain and Blinking’s basic architecture, which lowers operational costs for businesses involved in a trusted consortium. The GDPR module provides businesses with an out-of-the-box solution for handling their users’ or customers’ private and personal data in line with the new EU regulation.